Wednesday, 14 June 2017

I am me

I have been pondering a bit on "identity"...

This is not a simple matter, and mostly I am looking at this through the eyes of the techie. The way in which one identifies a user of a computer, for example. But it is a bit more complex than that.

Roles

One issue is that we often play many roles. In some cases the concept of an "identity" in a computer system may sensibly apply to a role that a person plays, such as "The System Administrator". Even the role in a company, such as "Managing Director". For a lot of systems there may be a role that persists beyond changes of the person taking on that role. Ideally in a computer system you want "identity" to actually relate to a person, and have a separate linkage of that person to the role they play, currently - a linkage that can change later. A lot of systems do not quite work like that.

Even knowing my identity, I have many roles I play when interacting with systems. If all systems could have the same way to actually establish my identity first and then see which roles may apply to them, that would be "neater" in many ways. At present, each system, even those that understand roles as separate from identity, has to have identity recognition which is separate to each other system.

In an ideal world we would be able to identify ourselves in some simple and consistent way to any system. We would not then need multiple logins and passwords. Such systems are an ideal which is fraught with issues though when it comes to sharing information and trusting third parties.

Multiple realms

Even so, we each may want more than one logical identity. This is not simply different roles, but we live our lives in different circles. Sometimes we may have almost completely separate lives. I am not talking actual multiple personality issues as a mental disorder here (though that raises some huge issues for "identity" management), but simply the multiple roles we all have in our lives.

For most of us we have "work" and "home" at least as two disconnected sets of people. We may be known by different names even (a nickname at home and family?). With social media we may have totally different lives and groups of people that know us in a different way as they are on one platform or another. Some even have multiple "handles" on social media platforms. Some of us have very different personalities in different social circles even. When you then look at "gaming" we have people that have totally different personas and roles in a context of a different group of people unconnected with their "real" lives.

The fact we can have many distinct social groups and ways in which we interact is also an issue for "identity". We may not even want those circles to be able to overlap - i.e. we do not want someone in one circle to be able to identify us in another circle.

That concept - a social compartmentalisation privacy requirement - would be a hard thing for any "real" identity requirement on computer systems.

Such separation may be even more important for people who have requirements to operate in socially distinct groups - I am thinking largely of those with sexual preferences that may still have stigma and prejudice. We see people that are homosexual finally finding themselves able to declare that to the world, but this is not the only social grouping where distinct identities may have been required in the past and may be required in the future. There will always be prejudice, and even political viewpoints may create distinct social circles which people seek to be kept separate.

I think "social compartmentalisation privacy requirement" may be a concept that the law has yet to understand or even recognise. I do not think it even comes under privacy rights at UN or EU where a right to a private family life may come in. The right to multiple independent lives/identities may not be a thing yet!

Such rights would mean ensuring individuals can maintain multiple independent "identities" within identification systems that emerge over time. Even to the extent of multiple "identity cards" if such things become a reality in the UK ever.

Of course such systems need some way to not allow someone to operate as multiple people, e.g. when it comes to voting or legal liability for crimes.

Identity cards

One thing occasionally called for is identity cards. These serve to create a record in a database, a national database typically, that associates a person in real life with that record and then associates various attributes to that record such as name, address, date of birth, and so on.

The issue is guaranteeing that the actual physical person can uniquely be linked to the record and the record can be linked to the person in a very one to one association. No chance of one person having no ID card or having more than one ID card. This is a challenge.

It would, however, distill the person to one identity, and so break that concept of any privacy between realms.

Fingerprints and the like

There are ways to identify an actual physical person, and these are typically called biometrics.

This is where you get close to a system to ensure a record in a database has a one to one link to an actual person and ties up their "identity" to that one record.

However for the concept of identity theft, where someone claims to be you, these have a big issue that you cannot revoke them or change them. Any system that can be fooled by a fake fingerprint is a problem as you cannot change your fingerprint once compromised.

Such biometrics only work if the actual sensing technology cannot be fooled, and that is not entirely the case yet.

DNA

DNA is, in effect, the holy grail of identity - as everyone has a different DNA. There are, however, two big holes in this. Firstly DNA checks usually look for markers and not your entire sequence. Even so, that is probably good enough to identify a unique individual. The second issue, and big fly in the ointment, is identical twins, who share the same DNA. So close, but so far. I can almost see a world where identical twins are banned (kill all but one?) or legally treated as the same person sharing the same debts and crimes.

Also, if you believe one of the episodes of CSI (and why not?), you can get people with Chimera DNA where they have two separate sets of DNA in their body. I suspect a Chimera where one set of DNA is shared with an identical twin is almost (but not quite) impossible.

Even so, for most people, a DNA profile to tie to an identity record is pretty final - you cannot escape that identity match.

When identity is not actually simple

There will be special cases, and these have been a challenge for law I believe.

One is, of course, a proper multiple personality disorder. Should each personality have their own "identity" if they can act independently?

Another is Siamese twins, where you may have two people in one body - again, do they get distinct identities?

In both cases you have a challenge if one of the two has debts or crimes, and punishment cannot only apply to one!

Law and order

Obviously, ultimately, law has to handle identity. Your identity is you, the person (barring complications as I mention above). If you committed a crime, you pay the price, not someone else. It matters not what your name is or your address or what a record says is your date of birth.

Identity is all about matching one thing to another. Matching a real person to some record of their actions, such as committing a crime (a fingerprint at the scene, etc).

I am me

You get things like PGP signing events where people sign other people's keys.

At the end of the day they are saying this "tag", or "attribute" matches some other "attribute". Ultimately this person that has in their mind the memory of the pass phrase for this secret key is associated with this "identity" such as a name or address or DOB...

I have said before in such cases, I am me. I do not need a passport to prove I am me, all that does is associate a name, DOB and passport number with me. I am me, here, now, I will enter pass phrase for this key, so you can see this key is mine (or a gullible friend's key) - take a picture if you like and link that to the key - that is one way to identify me the person in front of you...

Identity comes down to the ways we address real people - linking that addressing (name, twitter handle, whatever) to a real person. And such things are improving all of the time.

Allowing a person to legally maintain more than one identity (even if not for crime or debt or voting) is a challenge we may not have considered fully.

3 comments:

  1. Nobody with the power to do something about it has any incentive to allow the maintenance of multiple identities. Social network companies make more money the denser the social graph they can draw. Governments always want to be able to track individuals, and can always break the rules for their own people.

    (This is not my only OpenID URL.)

  2. There are risks in relying on DNA as a gold standard of (corporeal) identity: think, for example, of mosaicism[1], and mutation (with aging, cancer, etc.), sample contamination, etc.

    With any form of authentication, the best we can hope for is a probability. We then need to think about the purpose of the authentication, and have regard to Bayesian statistics. For example: if the DNA analysis distinguishes Alice from others with a 1 in a million chance of a false positive, we might consider it OK for access to Alice's bank account, but her defence counsel in the murder case would be quite right to point out that a further 50-odd people in the country would share the "same" DNA analysis. On that evidence alone, the probability that "she dunnit" is about 2%.

    [1] https://en.wikipedia.org/wiki/Mosaic_(genetics)

  3. Correction:
    s/a 1 in a million chance of a false positive/
    a 1 in a million chance of someone else generating the same analysis/
